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AMENDMENTS TO THE CLAIMS 

This listing of claims will replace all prior versions, and listings, of claims in the application. 
LISTING OF CLAIMS: 

1 . (Original) A method for assessing and/or managing risks for an organization, comprising the 
steps of: 

(a) inventorying a plurality of assets of the organization, wherein each asset is 
defined to be one of an electronic asset type and a location asset type, and wherein the electronic 
asset type includes computers and networking equipment therefor and the location asset type 
includes physical locations where the electronic asset types are placed; 

(b) identifying at least one criterion defining a security objective of the organization; 

(c) identifying one or more inventoried assets that relate to the identified criterion; 

(d) formulating one or more metric equations for each identified criterion, each 
metric equation being defined, in part, by the one or more identified assets, wherein each metric 
equation yields an outcome value when one or more measurements are made relating to the 
identified assets; and 

(e) assessing the risk to the organization based on the measured values of the one or 
more metric equations. 

2. (Original) The method of claim 1, wherein the step (a) comprises the step of: 
identifying the plurality of assets and storing the identified assets into a database. 

3. (Original) The method of claim 2, wherein the step of identifying the plurality of 
assets comprises at least one of: 

electronically scanning the plurality of assets; 

interviewing members of the organization to identify the plurality of assets; and 
manually identifying the plurality of assets. 
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4. (Original) The method of claim 1, wherein the plurality of assets are defined to be 
one of a user type, a user population type, a data type and a network type in addition to the 
electronic type and the location t5rpe, wherein the user type relates to an individual user and the user 
population type relates to a group of users. 

5. (Original) The method of claim 4, further comprising the step of: 
establishing at least one relationship between the plurality of assets. 

6. (Previously Presented) The method of claim 5, wherein the step of establishing the at 
least one relationship further comprises the step of 

linking a first asset defined to be in one asset type with a second asset defined to be 

in another asset type. 

7. (Previously Presented) The method of claim 5, wherein the step of establishing the at 
least one relationship further comprises the step of: 

linking a first asset defined to be in one asset type with a second asset defined to be 
in the same asset type. 

8. (Original) The method of claim 5, wherein the step (c) further comprises the step of 
identifying one or more inventoried assets that relate to the identified criterion based 

on the at least one established relationship between the plurality of assets. 

9. (Original) A system for assessing and/or managing risks for an organization, 
comprising: 

(a) means for identifying and storing a plurality of assets of the organization, wherein 
each asset is defined to be one of an electronic asset type and a location asset type, and wherein the 
electronic asset type includes computers and networking equipment therefore and the location asset 
type includes physical locations where the electronic asset types are placed; 

(b) means for identifying a plurality of criteria, each criterion defining a security 
objective of the organization; 
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(c) means for identifying a plurality of inventoried assets that relate to each 
identified criterion; and 

(d) means for formulating one or more metric equations for each identified criterion, 
each metric equation being defined, in part, by the one or more identified assets, wherein each 
metric equation yields an outcome value when one or more measurements are made relating to the 
identified assets, thereby allowing a user to assess the risk to the organization based on the 
measured values of the one or more metric equations. 

10. (Original) The system of claim 9, wherein the means (a) comprises: 

means for identifying the plurality of assets and storing the identified assets into a 

database. 

1 1 . (Original) The system of claim 10, wherein the means for identifying the pluralify of 
assets comprises at least one of: 

means for electronically scanning the pluralify of assets; 

means for interviewing members of the organization to identify the pluralify of 

assets; and 

means for manually identifying the pluralify of assets. 

1 2. (Original) The system of claim 9, wherein the plurality of assets arc defined to be 
one of a user type, a user population fype, a data type and a network type in addition to the 
electronic type and the location type, wherein the user type relates to an individual user and the user 
population type relates to a group of users. 

13. (Original) The system of claim 12, ftirther comprising: 

means for estabUshing at least one relationship between the pluralify of assets. 

14. (Previously Presented) The system of claim 13, wherein the means for establishing 
the at least one relationship further comprises: 

means for linking a first asset defined to be in one asset type with a second 
asset defined to be in another asset type. 
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15. (Previously Presented) The system of claim 13, wherein the means for establishing 
the at least one relationship further comprises: 

means for linking a first defined to be in one asset type with a second 
asset defined to be in the same asset type. 

16. (Original) The system of claim 13, wherein means (c) further comprises: 
means for identifying one or more inventoried assets that relate to the identified 

criterion based on the at least one established relationship between the plurality of assets. 

17. (Original) A system for assessing and/or managing risks for an organization, 
comprising: 

a computer configured to identify a plurality of assets of the organization, wherein 
each asset is defined to be one of an electronic asset type and a location asset type, and wherein the 
electronic asset type includes computers and networking equipment therefor and the location asset 
type includes physical locations where the electronic asset types are placed; 

a database configured to store the identified assets along with their asset types; 

means for identifying at least one criterion defining a security objective of the 
organization, wherein the computer is further configured to identify one or more inventoried assets 
that relate to the identified criterion and configured to formulate one or more metric equations for 
each identified criterion, each metric equation being defined, in part, by the one or more identified 
assets, wherein each metric equation yields an outcome value when one or more measurements are 
made relating to the identified assets, thereby allowing a user to assess the risk to the organization 
based on the measured values of the one or more metric equations. 

18. (Original) The system of claim 17, wherein the computer is further configured to: 
electronically scan the plurality of assets; 

interview members of the organization to identify the plurality of assets; and 
manually identify the plurality of assets. 
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19. (Original) The system of claim 17, wherein the plurality of assets are defined to be 
one of a user type, a user population type, a data type and a network type in addition to the 
electronic type and the location t5rpe, wherein the user type relates to an individual user and the user 
population type relates to a group of users. 

20. (Original) The system of claim 19, wherein the computer is further configured to 
establish at least one relationship between the plurality of assets. 

21 . (Previously Presented) The system of claim 20, wherein the computer is further 
configured to link a first asset defined to be in one asset type with a second asset 

defined to be in another asset type. 

22. (Previously Presented) The system of claim 20, wherein the computer is further 
configured to link a first asset defined to be in one asset type with a second asset 

defined to be in the same asset type. 

23. (Original) The system of claim 20, wherein the computer is further configured to 
identify one or more inventoried assets that relate to the identified criterion based on the at least one 
established relationship between the plurality of assets. 

24. (Original) A computer readable medium including instructions being executed by 
one or more computers, the instructions instructing the one or more computers for assessing and/or 
managing risks for an organization, the instructions comprising implementation of the steps of: 

(a) inventorying a plurality of assets of the organization, wherein each asset is 
defined to be one of an electronic asset type and a location asset type, and wherein the electronic 
asset type includes computers and networking equipment therefor and the location asset type 
includes physical locations where the electronic asset types are placed; 

(b) identifying at least one criterion defining a security objective of the organization; 

(c) identifying one or more inventoried assets that relate to the identified criterion; 

and 
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(d) formulating one or more metric equations for each identified criterion, each 
metric equation being defined, in part, by the one or more identified assets, wherein each metric 
equation yields an outcome value when one or more measurements are made relating to the 
identified assets, thereby allowing a user to assess the risk to the organization based on the 
measured values of the one or more metric equations. 

25. (Original) The medium of claim 24, wherein the step (a) comprises the step of: 
identifying the plurality of assets and storing the identified assets into a database. 

26. (Original) The medium of claim 25, wherein the step of identifying the plurality of 
assets comprises at least one of: 

electronically scanning the plurality of assets; 

interviewing members of the organization to identify the plurality of assets; and 
manually identifying the plurality of assets. 

27. (Original) The medium of claim 24, wherein the plurality of assets are defined to be 
one of a user type, a user population type, a data type and a network type in addition to the 
electronic type and the location type, wherein the user type relates to an individual user and the user 
population type relates to a group of users. 

28. (Original) The medium of claim 27, further comprising the step of: 
establishing at least one relationship between the plurality of assets. 

29. (Previously Presented) The medium of claim 28, wherein the step of establishing the 
at least one relationship further comprises the step of: 

linking a first asset defined to be in one asset type with a second asset defined to be 

in another asset type. 

30. (Previously Presented) The medium of claim 28, wherein the step of establishing the 
at least one relationship further comprises the step of: 
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linking a first asset defined to be in one asset type with a second asset defined to be 
in the same asset type. 

3 1 . (Original) The medium of claim 28, wherein the step (c) further comprises the step 

of: 

identifying one or more inventoried assets that relate to the identified criterion based 
on the at least one estabhshed relationship between the plurality of assets. 
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